This action is in response to the communication filed on 5/8/2007.

DETAILED ACTION

Response to Arguments

Applicant's arguments with respect to claims 24-37 have been considered and are not found persuasive.

The applicant has requested a more detailed explanation of where Kocher2 teaches the following limitations:

A) What is being interpreted as the first random number?

B) What is being interpreted as the second random number?

C) Where is the first random number permuted?

D) Where is the second random number permuted?

E) Where is the XOR of the results of these permuted random numbers?

Regarding A), the first random number of Kocher2 is comprised of the bits 'b' (random blinding bits) as disclosed in Col. 12 Lines 45-47 and shown in pseudo-code in Col. 11 Lines 57-63 (the section labeled "Blind: temp=blinded input, dataOut=unblinding factor").

Regarding B), the second random number of Kocher2 is comprised of the bits of TEMP, which is disclosed as being the result of XOR operation between the input and the random blinding bits, as can be seen in Col. 12 Lines 47-50, as well as being shown in pseudo-code in Col. 11 Lines 57-63 (the section labeled "Blind: temp=blinded input, dataOut=unblinding factor"). Note that in the pseudo-code, a '^' represents the XOR operation.

Regarding C), the first random number is permuted when the output buffer is initialized with the blinding bits, as seen in Col. 12 Lines 51-53, as well as being shown in pseudo-code in Col. 11 Lines 57-63 (the section labeled "Blind: temp=blinded input, dataOut=unblinding factor"). This becomes clearer upon examining the pseudo-code of Kocher2, and upon understanding that "table[p]" is the permutation table (See Kocher2 Col. 11 Lines 20-21), wherein each of the 64 random blinding bits (first random number) is placed in the output buffer "dataOut" according to the permutation table "table[p]". This occurs in the pseudo-code "dataOut[table[p]]=b;".



The following example may be helpful in understanding how permutation is occurring according to Kocher2. For simplicity's sake, the following example assumes 4 bit permutation instead of the 64 bit permutation used in the example pseudo-code of Kocher2. The example further assumes that perm[i]=i. This assumption is being made because perm[i] is simply used to change the time at which each bit is permuted, so that, for example, bit 2 is permuted first as opposed to bit 0 being permuted first. Perm[i] is irrelevant to the explanation of where the permutation occurs, and by assuming that perm[i]=i, p=i and we can just replace all the 'p's with 'i's in the pseudo-code.

Example:

table[i] = [2, 1, 3, 0] (that is table[0]=2, table[1]=1, table[2]=3, and table[3]=0)

b[i] = [a, b, c, d] (letters are being used to help illustrate the permutation)

dataOut[table[i]] = b[i]

So when i = 0, table[i] = table[0] = 2, so dataOut[2] is filled with the first random blinding bit b[0], which is a.

When i = 1, table[i] = table[1] = 1, so dataOut[1] is filled with the second random blinding bit b[1], which is b.

When i = 2, table[i] = table[2] = 3, so dataOut[3] is filled with the third random blinding bit b[2], which is c.

When i = 3, table[i] = table[3] = 0, so dataOut[0] is filled with the fourth random blinding bit b[3], which is d.

This results in dataOut[] containing the permuted random blinding bits [d, b, a, c].

As can be seen from the above example, the first random number has been permuted and stored in dataOut[].

Regarding D), the second random number (temp[]) is permuted when Kocher2 performs the final bit permutation, as seen in Col. 12 Lines 1-10 and 56-59. Similar to the explanation of C) above, the permutation of the blinded input temp[] occurs in the step:

dataOut[table[p]] ^= temp[p] (in the pseudo-code "^" is XOR)

This step permutes the data in temp[p] to the location indicated by table[p], XORs temp[p] with the permuted first random number stored at dataOut[table[p]], and stores the result of this XOR in dataOut[table[p]].

Regarding E), the permuted first random number is XORed with the permuted second random number when Kocher2 performs the final bit permutation, as seen in Col. 12 Lines 1-10 and 56-60. Similar to the explanation of C) above, the permutation of the second random number temp[] occurs in the step:

dataOut[table[p]] ^= temp[p] (in the pseudo-code "^" is XOR)

This step permutes the second random number in temp[p] to the location indicated by table[p], XORs temp[p] with the permuted first random number stored at dataOut[table[p]], and stores the result of this XOR in dataOut[table[p]].
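
The blind-then-permute sequence described in C) through E), written out in C as an added example (it is not code from Kocher2 or from this Office action). It reconstructs only the two steps quoted above; the function names and the `order[]` values are assumptions. `check_all_4bit` confirms, for every 4-bit input and blinding value, that XORing the permuted blinding bits with the permuted blinded input equals the plain permutation of the input.

```c
#include <stdint.h>
#include <string.h>

/* Reference: out[table[i]] = in[i], one array element per bit. */
void plain_permute(const uint8_t *in, const uint8_t *table, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[table[i]] = in[i];
}

/* Blinded form. b[] is the first random number, temp[] = in ^ b the second;
 * order[] stands in for perm[] and only changes the sequence in which bits
 * are handled. Returns 0, or -1 if n is larger than the scratch buffer. */
int blinded_permute(const uint8_t *in, const uint8_t *table, const uint8_t *order,
                    const uint8_t *b, uint8_t *out, size_t n)
{
    uint8_t temp[64];
    if (n > sizeof temp) return -1;
    for (size_t i = 0; i < n; i++) {   /* blind stage */
        size_t p = order[i];
        temp[p] = in[p] ^ b[p];
        out[table[p]] = b[p];          /* permuted first random number */
    }
    for (size_t i = 0; i < n; i++) {   /* final bit permutation */
        size_t p = order[i];
        out[table[p]] ^= temp[p];      /* XOR in the permuted second number */
    }
    return 0;
}

/* Exhaustive 4-bit check: table[] is from the example, order[] is constructed. */
int check_all_4bit(void)
{
    const uint8_t table[4] = {2, 1, 3, 0}, order[4] = {2, 0, 3, 1};
    for (unsigned x = 0; x < 16; x++)
        for (unsigned r = 0; r < 16; r++) {
            uint8_t in[4], b[4], want[4], got[4];
            for (int i = 0; i < 4; i++) { in[i] = (x >> i) & 1; b[i] = (r >> i) & 1; }
            plain_permute(in, table, want, 4);
            blinded_permute(in, table, order, b, got, 4);
            if (memcmp(want, got, 4) != 0)
                return 0;
        }
    return 1;
}

int main(void)
{
    return check_all_4bit() ? 0 : 1;   /* exit status 0 when every case matches */
}
```

The equality holds because a bit permutation only moves bits, so permuting `in ^ b` and XORing with the permuted `b` cancels the blinding position by position.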

The examiner has shown how Kocher2 does, in fact, teach the claim limitations which have been contested by the applicant, and, as such, has maintained the previously presented prior art rejections.

Claims 1-23 have been cancelled and claims 24-37 have been examined.

Claim Rejections - 35 USC §103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 24-37 are rejected under 35 U.S.C. 103(a) as being unpatentable over Kocher et al. (US Patent Number 6,278,783) hereinafter referred to as Kocher1, and further in view of Kocher et al. (US Patent Number 6,327,661) hereinafter referred to as Kocher2.

Regarding claim 24, Kocher1 disclosed a countermeasure method in an electronic component that implements the DES cryptographic algorithm in which multiple rounds of calculation are performed on input data (See Kocher1 Abstract), wherein each round of calculation includes at least the following operations: a first permutation of data (See Kocher1 Col. 10 Lines 55-60); manipulation of the permuted data by a secret key (See Kocher1 Col. 10 Line 61 - Col. 11 Line 5); a table look-up operation based on the manipulated data (See Kocher1 Col. 11 Lines 6-7); and a second permutation of data (See Kocher1 Col. 11 Lines 7-11), but Kocher1 failed to disclose wherein, for a plurality of successive rounds of said algorithm, at least one of said first and second permutations of data comprises the following steps: selecting a first random value having the same size as the data being permuted, performing an exclusive-or operation between the data being permuted and the first random value to generate a second random value, executing said permutation operation on each of the first and second random values, to generate respective first and second random results, and performing an exclusive-or operation between said first and second random results to produce a final permuted result.

Kocher2 teaches that in order to protect against external monitoring attacks, processes, including DES permutations, should be performed using a leak-minimized permutation operation (See Kocher2 Col. 10 Line 50 - Col. 13 Line 19). Kocher further describes that the permutation operations should be altered by selecting a first random value having the same size as the data being permuted, performing an exclusive-or operation between the data being permuted and the first random value to generate a second random value, executing said permutation operation on each of the first and second random values, to generate respective first and second random results, and performing an exclusive-or operation between said first and second random results to produce a final permuted result (See Kocher Col. 12 Lines 20-60).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kocher2 in the DES system of Kocher1 by performing the permutation processing according to the leak-minimized permutation operation. This would have been obvious because the ordinary person skilled in the art would have been motivated to protect the permutation processing from external monitoring attacks.

Application/Control Number: 09/913,884

Art Unit: 2131

Regarding claim 31, Kocher1 disclosed an electronic component that implements the DES cryptographic algorithm in which multiple rounds of calculation are performed on input data, said electronic component including a microprocessor that executes the following operations during each round of calculation (See Kocher1 Abstract): a first permutation of data (See Kocher1 Col. 10 Lines 55-60); manipulation of the permuted data by a secret key (See Kocher1 Col. 10 Line 61 - Col. 11 Line 5); a table look-up operation based on the manipulated data (See Kocher1 Col. 11 Lines 6-7); and a second permutation of data (See Kocher1 Col. 11 Lines 7-11), but Kocher1 failed to disclose wherein, for a plurality of successive rounds of said algorithm, at least one of said first and second permutations of data comprises the following steps: selecting a first random value having the same size as the data being permuted, performing an exclusive-or operation between the data being permuted and the first random value to generate a second random value, executing said permutation operation on each of the first and second random values, to generate respective first and second random results, and performing an exclusive-or operation between said first and second random results to produce a final permuted result.

Kocher2 teaches that in order to protect against external monitoring attacks, processes, including DES permutations, should be performed using a leak-minimized permutation operation (See Kocher2 Col. 10 Line 50 - Col. 13 Line 19). Kocher further describes that the permutation operations should be altered by selecting a first random value having the same size as the data being permuted, performing an exclusive-or operation between the data being permuted and the first random value to generate a second random value, executing said permutation operation on each of the first and second random values, to generate respective first and second random results, and performing an exclusive-or operation between said first and second random results to produce a final permuted result (See Kocher Col. 12 Lines 20-60).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kocher2 in the DES system of Kocher1 by performing the permutation processing according to the leak-minimized permutation operation. This would have been obvious because the ordinary person skilled in the art would have been motivated to protect the permutation processing from external monitoring attacks.

Regarding claims 25 and 32, Kocher1 and Kocher2 disclosed performing both of said first and second permutation operations in each of said plurality of successive rounds (See the rejection of claims 24 and 31 above).

Regarding claims 26 and 33, Kocher1 and Kocher2 disclosed that the first and second permutation operations utilize different respective first random values (See Kocher2 Col. 12 Lines 45-47).

Regarding claims 27 and 34, Kocher1 and Kocher2 disclosed that said plurality of successive rounds comprise a first set of successive rounds consisting of the first three rounds of said algorithm, and a second set of successive rounds consisting of the last three rounds of said algorithm (See the rejection of claims 24 and 31 above as well as Kocher1 Fig. 1).

Regarding claims 28 and 35, Kocher1 and Kocher2 disclosed that the manipulation operation performed during said plurality of successive rounds comprises the following steps: performing an exclusive-or operation between said secret key and a third random value having the same size as said key, to generate a fourth random value; performing bit-by-bit operations on each of said third and fourth random values to produce a pair of intermediate keys; manipulating the result of said first permutation operation with one of said intermediate keys to produce an intermediate result, and manipulating said intermediate result with the other of said intermediate keys to produce an output data item (See Kocher1 Col. 10 Lines 16-24 and the rejections of claims 24 and 31 above).

Regarding claims 29 and 36, Kocher1 and Kocher2 disclosed that said manipulating steps comprise exclusive-or operations (See Kocher2 Col. 12 Lines 45-50).

Regarding claims 30 and 37, Kocher1 and Kocher2 disclosed that said bit-by-bit operations comprise a key permutation operation, a shift operation and a compression permutation operation (See Kocher1 Col. 10 Lines 16-24).

Conclusion

Claims 1-23 have been cancelled and claims 24-37 have been rejected.

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790. The examiner can normally be reached on M-F 8-4.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Matthew Henning
Assistant Examiner
Art Unit 2131
7/12/2007

AYAZ SHEIKH
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100



